Mac Malware Has Arrived

The first Apple-targeting malware to go wide has infected 600,000 Macs. IT needs to get proactive about educating Mac-toting BYOD employees who may be complacent about security.

The Flashback family of Trojans has been around and targeting the Mac platform since the middle of last year. The early versions, one of which presented itself as an installer for Flash Player, required user input and cooperation to infect a Mac. In recent days, a far more dangerous variant appeared. OS X/Flashback operated in a "drive-by" mode, meaning that a victim need do no more than visit a malicious Website to get infected.

Russian security firm Doctor Web estimates that over 4 million Web servers have been commandeered to spread the Trojan, and that 600,000 Macs worldwide have been infected as of April 5, 2012. Over half of the infected machines are in the US and 20 percent are in Canada, according to the security firm.

The creators of Flashback have used a variety of vulnerabilities in the Java runtime environment to get in the door. The early versions used a pair of JRE holes that had been discovered in 2008. The more dangerous current version began exploiting CVE-2012-0507 after March 16. This vulnerability had been reported to Oracle (the current custodian of Java) in January and patched for Windows machines in February.

Apple didn't patch it until April 3 (in fact it released two patches, amid speculation that the first one had been flawed, on the Lion platform at any rate). That six-week window was sufficient to get over half a million Macs infected -- and almost all of those infections happened in the final two weeks.

Mac users are not accustomed to dealing with serious malware. Many believe their Macs to be invulnerable, in some intrinsic way, to the threats that have plagued the Wintel world for over a decade. In its marketing, Apple has encouraged this dangerous belief, when surely the company has known the truth all along: that the Mac was not invulnerable, merely not targeted yet.

The combination of this unwarranted overconfidence on Apple's part, and the fact that the company maintains its own version of Java, has meant that patches for Java vulnerabilities have been slow in coming out. Security expert Brian Krebs concluded in 2009 that Apple was averaging six months to issue a Java patch. So its recent accomplishment of turning around a fix in only six weeks may be counted as progress. But in the face of an active drive-by exploit in the wild, it is still far too slow.

In its latest OS, Lion, Apple does not include Java by default, but it is installed automatically the first time it is needed. In the previous OS, Snow Leopard, Java is present by default and is supported. Earlier OSs are no longer supported, but all have default Java installations. It's safe to assume that a fair number of users of these OS X systems are not in the habit of rushing to install security patches when they arrive from Apple.

For any company that allows or encourages employees to bring their own devices, the historical security posture of OS X presents risks. IT should be pushing to educate Mac-bearing users about the realities of the security situation their machines operate in. They must not be allowed to jeopardize corporate security through a belief that security need not concern them.

Two weeks after Apple's Flashback disabler and Java update, the Russian security company that first reported on the outbreak, Dr. Web, says that infections are continuing and that the size of the botnet is not shrinking much, if at all: it's still around 650,000 strong.

I am hoping that this does not prove so troublesome on the Mac. Though probably over time, as the bad guys develop boot-sector virii etc., Mac AV will have to burrow deeper. But so far it has been true that Mac apps, even ones dealing in deep system juju, are far more self-contained (thus un-installable) than corresponding PC software. There isn't an equivalent of the PC's Registry, for example; every app keeps its own settings & preferences in a well-known location.

It's funny, I recently purchased a new laptop with Windows 7 on it and I think the second thing I did after burning backup DVDs was to install antivirus! When I got my Mac, I didn't even think about it, but I should be safe since I do have all the updates installed as Keith recommends.

I am still trying to come to terms with the fact I might have to one day install an antivirus solution there as well.

AV software on Macs. Yikes. Welcome to my world. My PCs have tried a variety of antivirus solutions over the years and, strangely enough, I've come to the conclusions that AV software, while extending the life of your computer, can also be one of the biggest long-term threats, particularly if you use more than one brand of AV software on your system. To work well, AV bores deep into your BIOS and even when you remove it, some effects of the AV software linger; then they end up fighting with other AV programs. The result is a very slow computer and virtually no way to get the deep hooks out.

If you have installed all software updates to your Mac, you're in a better position than before. Apple did release the "remover" for Flashblock that was noted earlier in these comments. Interestingly, it also changes the default for Java to "off." If you turn it on for some particular Web site that requires it, the Mac will start a timer and if Java doesn't get used again within a time window, off it goes again. So that's one vector for malware closed off. Now if only Flash would be off by default...

Interesting, I just heard someone on CNET recommend using antivirus on your Mac! I had never seen this, and being a new Mac owner, I wonder if I should install? I guess it can't hurt - I am going to take a look at the Avast solution - main thing is it has to be FREE.

Yes, suddenly there is a lively market in AV software for Macs. Most have been available for 2 years or more, awaiting the time when the Mac user community would wake up and realize the need for some protection. I'm only aware of the free versions of a couple of packages — Clam and Sophos. I presume at least Sophos sells their software too, but don't know what distinguishes the pay version(s). (Clam is an open-source project.) Norton doesn't have a free version: $49.99 per year, just like on the PC. McAfee doesn't have anything for Mac that I can find.

I actually installed the free Sophos as soon as it was available, about a year and a half ago, but backed off after an early bug killed 19 months of backups on my Time Capsule. They fixed this in a very responsive manner after I reached out to their CTO on Twitter, but I have been reflexively gun-shy about reinstalling Sophos. I now run with (free) ClamXav, which is considerably more lightweight. Doesn't scan incoming emails, e.g.